Turtles All the Way Down: Applications

  applications computers operating_systems platforms software trust

Now our hypothetical trusted and open computing platform needs applications so you can get real work done. Text editors, scripting languages, officeware, and probably a desktop of some kind. To stick with our security practice of keeping systems as spare as possible, I recommend only installing applications and their dependencies as you need them. In the last post I suggested picking a package management system of some kind if one isn't already a core component of the OS that we recompiled and installed. If you get in the habit of building and using packages now you'll save yourself a lot …


Turtles All the Way Down: Bootstrapping an operating system.

  attacks backdoors bsd compiling computers information_security linux mitigation operating_systems risks software trust

Now we need an operating system for the trusted, open source computer. As previously mentioned, Windows and MacOSX are out because we can't audit the code, and it is known that weaponized 0-days are stockpiled by some agencies for the purpose of exploitation and remote manipulation of systems, and are also sold on the black and grey markets for varying amounts of money (hundreds to multiple thousands of dollars). It has been observed by experts many a time that software being open source is not a panacea for security. It does, however, mean that the code can be audited for …


Turtles all the way down: SoCs and Storage

  computers engineering firmware fpga hardware microprocessors opensource peripherals storage system_on_a_chip trade_offs trust

This brings us along to designs that are rather common even though we don't normally think of them as either common or systems. By this, I refer to SoCs - Systems On A Chip. As the name implies, they are full (or nearly so) computers implemented as single mother-huge silicon chips (relatively speaking). On the die you'll find a CPU or microcontroller, supporting electronics for same, an MMU, and enough interfaces to do whatever you want, be it plug in a USB keyboard and mouse, an Ethernet adapter, or a simple USB-to-serial converter circuit. An excellent example of a SoC is …


Turtles all the way down: Hardware

  computers engineering hardware microprocessors opensource trust vhdl

So, let's get down to the nitty-gritty.

Let's lay one thing out first: At some point you're going to have to start trusting your toolchain because it simply won't be possible to accomplish some of the necessary tasks yourself. The lowest possible level seems as good a place as any to start. I mean silicon wafers, the basic component of integrated circuitry. Let's face it, nobody's in a position to turn ordinary sand and handfuls of trace elements into silicon wafers themselves. This is a very complex operation that you can't do in your basement these days. There are lots …


Porting Godwin's Law to the field of cryptography.

  backdoor crypto godwin proposal thompson trust

On the Internet, there exists a meme called Godwin's Law. Simply put, "As a Usenet discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches one," (where probabilities are specified as floating point values between 0.0 (0%) and 1.0 (100%)). It is usually at this point that the discussion is considered completely derailed and no longer worth following.

It seems that a similar phenomenon is occurring more and more often in the twenty-first century, in which online discussions of cryptographic or security software will eventually lead to someone bringing up Ken Thompson's famous paper Reflections …


Just when you thought keeping tabs on your kids couldn't get any more creepy.

  cellphones kids parenting respect surveillance taser tracking trust

Taser has become one of the more notorious companies in the United States. Best known for its (technically) non-lethal electrostun weapons, the name of which has become synonymous with most any stunner, they've recently gotten into the mobile surveillance market with a product they call Protector. This product is actually an app which you install in your kid's mobile phone; it lets you keep an eye on all of the phone numbers which are called or place calls to the phone as well as giving access to all text messages sent or received. Certain numbers can be blacklisted by the …
